Compromised user information included names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions and answers, which could be used to reset a password, according to The New York Times. Yahoo is now taking steps it declined to take previously: forcing affected users to change their passwords and scrubbing (invalidating) the unencrypted security questions and answers.

Yahoo discovered the 2013 compromise when it analyzed data files provided by law enforcement, after an unnamed third party claimed to be in possession of Yahoo user data.

For users, the question now is what to do about it. Sophos senior security advisor John Shier outlined six steps you can take to protect yourself from this and any other data breach:

1. Consumers need to be aware of targeted phishing scams: socially engineered attacks in which cybercriminals lure people into clicking malicious URLs that deliver malware or harvest credentials. This matters even more now that personally identifiable information (PII) such as names, phone numbers and dates of birth is in the wild as a result of this breach, because a phisher who knows these details can craft a far more convincing message.

2. Change your Yahoo password and security questions immediately, and do the same on any other account where you reused them. As a rule of thumb, don't use the same security questions and answers across your accounts.

3. Include upper and lower case letters, numbers and symbols to make passwords harder to crack. Refer to the Sophos How to Pick a Proper Password video for advice on creating stronger passwords.

4. Be careful with your security questions: information such as your mother's real maiden name is easy to track down. You don't have to give the truthful answer to a question like "what's your favorite food?"; you only have to give an answer that you will remember (or that your password manager will remember for you).
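Tips 3 and 4, together with the detail above that Yahoo stored security answers unencrypted, both come down to treating a security answer exactly like a password. The following Python is an added example, not code from Sophos or Yahoo: the user side generates a strong password and a random passphrase to use as a security answer (which then lives in a password manager), and the site side stores that answer as a salted, stretched hash instead of plaintext. The small word list is constructed for the example, and PBKDF2-HMAC-SHA256 is used only because it ships with the standard library; a real deployment would pick bcrypt, scrypt or Argon2.

```python
import hashlib
import hmac
import secrets
import string
import unicodedata
from typing import Optional, Sequence

# Generated passwords draw from all four character classes the tip names.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed word list for the example (assumption: a real tool would use
# a large diceware-style list with thousands of entries).
DEFAULT_WORDS = ("anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet",
                 "harbor", "iris", "juniper", "kestrel", "lantern", "meadow", "nickel",
                 "orchid", "pepper", "quartz", "raven", "saffron", "tundra")


def covers_all_classes(password: str) -> bool:
    """True if the password has at least one lower, upper, digit and symbol."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length: int = 20) -> str:
    """Random password from the secrets module (not random), regenerated until all classes appear."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if covers_all_classes(candidate):
            return candidate


def generate_security_answer(n_words: int = 4, words: Sequence[str] = DEFAULT_WORDS) -> str:
    """A random passphrase to give as a security-question answer instead of the true one."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def normalize_answer(answer: str) -> str:
    """Fold case, strip accents and squeeze whitespace so a remembered answer still matches."""
    decomposed = unicodedata.normalize("NFKD", answer)
    without_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(without_marks.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Store a security answer the way a password is stored: salted, stretched, never plaintext."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()))


def verify_answer(answer: str, stored: str) -> bool:
    """Constant-time comparison against the stored record; False for unknown formats."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    password = generate_password()
    answer = generate_security_answer()
    record = hash_answer(answer)
    print("password:", password)
    print("security answer (keep it in the password manager):", answer)
    print("what the site should store:", record)
    print("correct answer verifies:", verify_answer(answer, record))
    print("guessed answer verifies:", verify_answer("mother's real maiden name", record))
```

The normalization step is the trade-off to notice: folding case and whitespace means a user who types "Mary Smith" and " mary smith " both get in, but it also slightly shrinks the answer space, which is one more reason to use a random passphrase rather than a real fact. With the answer stored as a salted hash, an attacker who obtains the database (as happened here) gets no reusable reset material without first cracking each record.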

Though it is unclear whether phishing played a part in enabling the 2013 Yahoo breach, the technique has been the spark attackers used to break into other systems. Unfortunately, consumers remain easy prey for this type of scam.

In a recent Sophos survey of 1,250 consumers, nearly half of the respondents admitted they are not familiar with phishing or perceive it as a low threat. More than 30% of those surveyed rated themselves as extremely unprotected, unsure whether they are protected, or completely unaware of phishing attacks.

I see #3 and #4 as two sides of the same die, and "using a password manager" as a third side of that. So I'd have made them into one tip that urged good passwords and simply referenced the "How to Pick a Proper Password" video to provide the details (though I may be biased because I made that video 🙂). In the video, we cover that whole "good password" die, including the what/why/how of password managers.

Don't wait for someone else to tell you to change your password. Any time you feel vulnerable (if not more often...) you should take steps to change your password. Again, use a good password manager to do the heavy lifting.

How on earth do you change your password and username? I just can't get onto the right web site to do it. It's so complicated; it's not even accepting my original ones. Surely Yahoo could have explained it more clearly. I would like to go to a different email provider.